Page 1: Security and Trust in Mobile Devices Abdulrhman Alkhanifer Ricardo Figueroa

Security and Trust in Mobile Devices

Abdulrhman Alkhanifer
Ricardo Figueroa

Page 2

DEVICES - Introduction

• Mobile devices serve as access points to data stored either locally or in some remote server.

• Currently there are 5.3 billion mobile users around the world (77% of the world population)1.

• How many of them are smartphones?

1 [International Telecommunication Union (October 2010), mobiThinking, http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats]

Page 3

DEVICES - Smartphone Market Share

OS                2011 Market Share1
Android           38.5%
Blackberry        13.4%
iOS               19.4%
Symbian           19.2%
Windows Mobile    5.6%
Others            3.9%

Total smartphones: 468 million. 8.83% (468/5300) of mobile users use smartphones (excluding tablets).

1 [Worldwide Mobile Communications Device Open OS Sales to End Users by OS, Gartner, http://www.gartner.com/it/page.jsp?id=1622614]

Page 4

DEVICES - Why is it important to think about Security and Trust?

• Mobile devices run a “single-user OS”, which from a security point of view is very different from a laptop or desktop OS.

• Most mobile users do not realize the potential risk of exposing information or of identity theft.

• Mobile devices serve as access points to personal and/or corporate information and are more accessible than laptop or desktop computers.

Page 5

DATA - Sensitivity

Data Type           Example
Personal Data       Account numbers, SSN, photos, calendar info, email, physical location
Business Data       Corporate financial information, corporate intellectual property (trade secrets, product launches), business email
Non-sensitive Data  Songs, random pictures, etc.

Page 6

DATA - What is the value if lost?

Value              Example
Sentimental Value  Family photos
Financial Value    Bank Account No., SSN
Time Value         Contacts and Calendar
Privacy Value      Medical Records, University ID

Page 7

DATA - Where does it reside?

Storage Type       Example                        Ownership
Local Storage      Device internal memory         User
Removable Storage  SIM card, SD, Micro SD, etc.   User
Cloud Service      iCloud, Amazon Cloud Drive     User and storage provider
Service Provider   Gmail servers, Online banking  User and storage provider

Page 8

DATA - Accessibility Threats

• Physical Access
  – PIN number and password
  – Owner behavior
  – Eavesdropping
• Internet and Wireless Access
  – Bluetooth
  – GSM
  – Blackberry
• Privacy
  – GPS enabled tracking
  – Custom profiling

Page 9

ACCESS - Physical Access

• PIN number typically of 4-6 digits.
• A 4-digit PIN number requires 10000 tries (using a brute-force attack), which is not impossible!
• Password.
• Auto-lock feature.
  – iPad 2 issue before iOS 5 and smart cover
• Some users do not use a PIN number or password.
• Easy to break a 4-digit PIN number by eavesdropping.

Page 10

ACCESS - Internet and Wireless Access

• Bluetooth Attacks1:
  – Bluesnarfing (2003-2004)
  – Bluebugging
  – Bluejacking
  – Denial of service (DoS)

1 [A menu of Bluetooth attacks, Government Computer News, http://gcn.com/Articles/2005/07/20/A-menu-of-Bluetooth-attacks.aspx]

Page 11

ACCESS – GSM Security Features

• GSM encryption mechanism is based on a symmetric stream cipher.

• The key for encryption is established as part of the authentication protocol.

• 64-bit A5/1 GSM encryption1.
• 128-bit A5/3 GSM encryption [2007].
• 4G (LTE): 128-bit AES, or 128-bit SNOW 3G2.

1 [Karsten Nohl, 1988, http://www.engadget.com/2009/12/29/gsm-call-encryption-code-cracked-published-for-the-whole-world/]
2 [Security in the LTE-SAE Network, documentation, Agilent Technologies, http://www.home.agilent.com/upload/cmc_upload/All/Security_in_the_LTE-SAE_Network.PDF?&cc=US&lc=eng]
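The 64-bit A5/1 stream cipher named on this slide, implemented in Python as an added example (not code from the slides or their cited sources), following the published description by Briceno, Goldberg and Wagner: three irregularly clocked LFSRs are seeded from the 64-bit session key and the 22-bit frame number, and each frame yields 114 keystream bits per direction that are XORed with the burst. The entire secret is the 64-bit key, which is the key size the cited source reports as cracked.

```python
# Added example (not from the slides): A5/1 keystream generation as published by
# Briceno, Goldberg and Wagner (1999). Bit i of each register is bit i of a Python int;
# feedback enters at bit 0. Per register: (length, tap bits, clocking bit).
R1, R2, R3 = (19, (13, 16, 17, 18), 8), (22, (20, 21), 10), (23, (7, 20, 21, 22), 10)

def _step(reg, spec):
    """Shift one LFSR: new bit 0 is the XOR of the tap bits, truncated to the register length."""
    length, taps, _ = spec
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)

class A51:
    def __init__(self, key: bytes, frame: int):
        assert len(key) == 8 and 0 <= frame < (1 << 22), "64-bit key and 22-bit frame number"
        self.regs = [0, 0, 0]
        for i in range(64):                       # key load: clock all three, XOR key bit into bit 0
            self._clock_all((key[i // 8] >> (i % 8)) & 1)
        for i in range(22):                       # frame number load, same mechanism
            self._clock_all((frame >> i) & 1)
        for _ in range(100):                      # warm-up: 100 majority clocks, output discarded
            self._clock_majority()

    def _clock_all(self, bit):
        self.regs = [_step(r, s) ^ bit for r, s in zip(self.regs, (R1, R2, R3))]

    def _clock_majority(self):
        """Irregular clocking: a register steps only if its clocking bit agrees with the majority."""
        clk = [(r >> s[2]) & 1 for r, s in zip(self.regs, (R1, R2, R3))]
        maj = 1 if sum(clk) >= 2 else 0
        self.regs = [_step(r, s) if c == maj else r for r, s, c in zip(self.regs, (R1, R2, R3), clk)]

    def keystream(self, nbits=114):
        """Next nbits of keystream (output = XOR of the top bit of each register)."""
        out = []
        for _ in range(nbits):
            self._clock_majority()
            r1, r2, r3 = self.regs
            out.append(((r1 >> 18) & 1) ^ ((r2 >> 21) & 1) ^ ((r3 >> 22) & 1))
        return out

def burst_keystreams(key, frame):
    """Per TDMA frame A5/1 produces 228 bits: 114 for downlink, then 114 for uplink."""
    gen = A51(key, frame)
    return gen.keystream(114), gen.keystream(114)

def xor_bits(data_bits, ks):
    """Encrypt or decrypt one burst; a stream cipher uses the same operation for both."""
    return [d ^ k for d, k in zip(data_bits, ks)]
```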

Page 12

ACCESS - 3G Encryption

• Is the data transmitted over 3G/4G networks secure?
  – “Israel's Weizmann Institute of Science went ahead and cracked the KASUMI system -- a 128-bit A5/3 algorithm implemented across 3G networks -- in less than two hours”1,2.

1 [3G GSM encryption cracked in less than two hours, engadget, Jan 2010, http://www.engadget.com/2010/01/15/3g-gsm-encryption-cracked-in-less-than-two-hours/]
2 [3G encryption can be broken in 2 hours, 'suggest' security experts, http://www.fiercewireless.com/europe/story/3g-encryption-can-be-broken-2-hours-suggest-security-experts/2010-01-15]

Page 13

ACCESS - Blackberry

• Uses BlackBerry1 OS.
• Every phone has a BlackBerry PIN (an 8-digit hexadecimal number).
• BlackBerry uses Standard, Triple DES and AES encryption schemes2.
• Issues in some countries:
  – India: In January 2011, RIM gave India access to its consumer services, including its Messenger services, but said it could not allow monitoring of its enterprise email.
  – Saudi Arabia: Saudi Arabia has threatened to ban the service, but reportedly it was close to reaching an agreement with RIM to set up a server for the service inside the Kingdom.
  – UAE: In October 2010, the UAE tried to ban the service, requesting that servers be brought inside the country; however, the request was denied. Later, BlackBerry services were restored.

1 [http://en.wikipedia.org/wiki/BlackBerry]
2 [http://docs.blackberry.com/en/admin/deliverables/12873/Standard_BlackBerry_message_encryption_193608_11.jsp]

Page 14

ACCESS - Privacy: Geotagging

• Adding geographical identification to photographs, video, websites and SMS messages.

• It is the equivalent of adding a 10-digit grid coordinate to everything you post on the internet1.

• In some smartphones this information is embedded with every picture taken by that device.

• Many social applications allow users to share their location (Facebook, Twitter, Flickr, etc.).

1 [http://www.slideshare.net/NavalOPSEC/geotagging-safety]

Page 15

ACCESS - Is Geotagging potentially dangerous?

• It can establish personal patterns. It could potentially be easy to identify a user’s daily routine and times.

• Exposing home and work addresses.

Page 16

ACCESS – Geotagging: Example1

• Adam Savage, of “Myth Busters”, took a photo using his phone and posted it on his Twitter account with “off to work” as the message.

• His photo contained metadata revealing the exact geographical location of his house.

1 [Web Photos That Reveal Secrets, Like Where You Live , August 11, 2010, The NY Times, http://www.nytimes.com/2010/08/12/technology/personaltech/12basics.html?pagewanted=all]
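The geotag the slides describe is carried in the photo's Exif GPS IFD. As an added example (not code from the slides or the cited article), the Python below reads those coordinates from a JPEG, which is the check a user could run before posting, and strips the Exif segment, which is the mitigation for the case above. The JPEG is a constructed minimal container holding only an Exif APP1 segment (no picture data), and the coordinates used in the test are sample values, not a real location.

```python
import struct

GPS_IFD_TAG, EXIF_HDR = 0x8825, b"Exif\0\0"   # IFD0 tag pointing at the GPS sub-IFD; APP1 signature

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):   # constructed sample, not a real photo
    gps_off = 8 + 2 + 12 + 4                     # TIFF header, then IFD0 = count + 1 entry + next ptr
    data_off = gps_off + 2 + 4 * 12 + 4          # RATIONAL values follow the 4-entry GPS IFD
    tiff = b"II*\0" + struct.pack("<I", 8)       # little-endian TIFF header, IFD0 at offset 8
    tiff += struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, gps_off, 0)        # IFD0: one LONG entry
    tiff += struct.pack("<H", 4)                                             # GPS IFD with 4 entries
    tiff += struct.pack("<HHI4s", 1, 2, 2, lat_ref.encode() + b"\0\0\0")    # GPSLatitudeRef  N/S
    tiff += struct.pack("<HHII", 2, 5, 3, data_off)                         # GPSLatitude, 3 RATIONAL
    tiff += struct.pack("<HHI4s", 3, 2, 2, lon_ref.encode() + b"\0\0\0")    # GPSLongitudeRef E/W
    tiff += struct.pack("<HHII", 4, 5, 3, data_off + 24)                    # GPSLongitude, 3 RATIONAL
    tiff += struct.pack("<I", 0) + b"".join(struct.pack("<II", n, d) for n, d in lat_dms + lon_dms)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + EXIF_HDR + tiff + b"\xff\xd9"

def _segments(jpeg):   # yield (offset, marker, bytes) per length-delimited segment before SOS/EOI
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, jpeg[pos + 1], jpeg[pos:pos + 2 + seglen]
        pos += 2 + seglen

def exif_gps(jpeg):   # (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent
    for _, marker, seg in _segments(jpeg):
        if marker == 0xE1 and seg[4:10] == EXIF_HDR:
            t = seg[10:]                                            # the embedded TIFF structure
            end = "<" if t[:2] == b"II" else ">"
            u16 = lambda o: struct.unpack(end + "H", t[o:o + 2])[0]
            u32 = lambda o: struct.unpack(end + "I", t[o:o + 4])[0]
            entries = lambda ifd: {u16(ifd + 2 + 12 * i): ifd + 2 + 12 * i for i in range(u16(ifd))}
            ifd0 = entries(u32(4))                                  # an entry's value/offset is at +8
            gps = entries(u32(ifd0[GPS_IFD_TAG] + 8)) if GPS_IFD_TAG in ifd0 else {}
            if not all(tag in gps for tag in (1, 2, 3, 4)):
                return None
            dms = lambda e: sum(u32(u32(e + 8) + 8 * i) / u32(u32(e + 8) + 8 * i + 4) / 60 ** i
                                for i in range(3))                  # deg, min, sec -> sum(v_i / 60**i)
            lat = dms(gps[2]) * (-1 if chr(t[gps[1] + 8]) == "S" else 1)
            lon = dms(gps[4]) * (-1 if chr(t[gps[3] + 8]) == "W" else 1)
            return round(lat, 6), round(lon, 6)
    return None

def strip_exif(jpeg):   # copy of the JPEG with every Exif APP1 segment removed; picture data untouched
    out, pos = bytearray(jpeg[:2]), 2
    for off, marker, seg in _segments(jpeg):
        if not (marker == 0xE1 and seg[4:10] == EXIF_HDR):
            out += seg
        pos = off + len(seg)
    return bytes(out) + jpeg[pos:]
```

Real cameras write many more Exif tags (and some apps add XMP), so a production stripper should drop or rewrite every metadata segment, not only APP1.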

Page 17

ACCESS - Privacy: Custom Profiling

• Malls used phone signals to track shoppers on Black Friday1.

• Could lead to spam advertisement.

1 [http://money.cnn.com/2011/11/22/technology/malls_track_cell_phones_black_friday/index.htm]

Page 18

Recommendations on how to better protect your data

• Use a password and the auto-lock feature.
• Do not auto-save passwords in applications.
• Do not let your mobile device out of your sight.
• Make sure that your phone OS and apps are updated.
• Try not to use unsecured wireless hotspots.
• Encryption on the local drive and external flash drives:
  – Windows Mobile: SecuBox, 3rd party application1.
  – Android: Droid Crypt, AnDisk Encryption, 3rd party, uses AES 128-bit2.
  – iPhone: no apps available yet; some apps for encrypting voice calls and messages.
  – Blackberry: offers “content protection” that encrypts all data in the device4.
• Subscribe to remote wipe (if available).
• Possible newer security methods like Picture Password3.

1 [http://www.aikosolutions.com]
2 [http://www.pcworld.com/article/242650/how_to_encrypt_your_smartphone.html]
3 [http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx]
4 [http://docs.blackberry.com/en/smartphone_users/deliverables/1487/About_content_protection_29009_11.jsp]

Page 19

Questions?